Protect Your Password

The key to locking out hackers is being unpredictable

Password security is a big deal, and if you don't think it is, then someone might be hacking into your computer even as you read this.

A strong password isn't foolproof, but it proves that you're no fool. And it might protect you from compromised data, a broken computer or identity theft.

Your bank account, your personal e-mails and lots of other stuff are at risk with weak passwords.

A discussion of password security isn't intended to get the attention of bad guys. They already know this stuff. The idea is to get the attention of computer users who are vulnerable to this form of attack. A few minutes spent strengthening a password will thwart most attacks.

"A good password is the most important part of Internet security," said Robert Pacheco, owner of Computer Techs of San Antonio. "It's the beginning and end of the issue. You can't stop [hacking]. You do what you can do to prevent it. You just try to stop most of it."

A strong firewall, as well as spyware- and virus-detection software, protects a computer's so-called "back door," Pacheco says, where a hacker can gain access through various cyber threats.

Passwords, however, protect information from a frontal assault, via the computer's keyboard. From his mom-and-pop computer repair store, Pacheco sees so many password-related problems that he printed up instructions imparting his wisdom to flummoxed customers. The simple suggestions give customers and victims ideas of what to avoid when securing their digital life.

The most egregious example Pacheco has been asked to untangle: An estranged friend got access to the other guy's computer. The "friend" was able to guess the password pretty quickly -- the word "password," believe it or not -- and locked his ex-friend out of his own computer, all of his files and every single online account.

Pacheco only sees good passwords at work when thieves come in off the street, wielding a laptop and a sob story about forgetting the password. His store policy demands a driver's license to establish identity and a receipt to prove computer ownership before he'll crack a password.

Cracking a bad password, says Larry Rogers, isn't that hard.

The type of hardware being used can be a clue, says Rogers, senior technical staffer in the CERT Program, a Web security research center in Carnegie Mellon University's Software Engineering Institute. It's easy to find a default password, typically in the user's manual on a manufacturer's Web site. If the user hasn't changed the default, that's an easy break-in.

Other people use easy-to-remember passwords. Trouble is, Rogers says, they're easy-to-guess passwords too. Get to know the person -- a technique that geeks refer to as "social engineering" -- and the password is easy to guess. There are message-board stalkers who can guess passwords in a half-dozen tries.

Hackers rely on a lot of methods. Some, Rogers says, employ "shoulder surfing." That means what it sounds like -- looking over someone's shoulder as that person is typing in a password. Seriously. It has worked, Rogers says.

Software works here too.

"There are programs that do brute-force attacks with dictionary words and approach it from every angle," Rogers said. "It's based on what people have been known to do."

Most of the password hacking activity these days goes on at home, in school or in public settings. Many workplaces now mandate how a password is picked.

Many companies also require that passwords be changed regularly and that pieces of older ones can't be re-used for months. And user names cannot be part of the password.

For the home user, however, password safety requires more than on-the-fly thinking. A well-thought-out strategy can result in a system that's easy to remember and hard to guess.

Pacheco suggests a system built around a main word for all instances. The distinction is that the name of the site is added somewhere. For example, if the main word is "eggplant," the password might be "eggyyplant" for Yahoo, "eggplantgg" for Google or "wleggplant" for Windows Live. He suggests listing the variations in an Excel spreadsheet.

To throw off shoulder surfers, Rogers suggests picking words with letters from different sides of the keyboard. "Freeze" is a bad main word choice since all the letters come from the left side of the keyboard. "Apostrophe," on the other hand, mixes up letters from both sides.

Of course, password security won't mean much if a user leaves a machine open to cyber-attack, Rogers says. A hacker can plant software that records all keystrokes, and that will surrender passwords, even if they're changed.

But assuming that the back door is safe, the front door can be locked securely too.

DOES YOUR PASSWORD PASS THE TEST?

You can check the strength of your password online at various sites. Users can tweak and hone a password at most sites to get a good one.

* passwordmeter.com

* securitystats.com/tools/password.php

* passwordstrength.net

* tools.pingates.com/password

H0W 2 MAYKE GOOD PA$$W0RDZ

DO

* Make passwords eight characters or more.

* Use a main word for all your accounts and sites and tweak it for each site (add GG for Google, YA for Yahoo, etc.).

* Include caps and symbols in the password.

* Put them all together in a spreadsheet -- if you must write it down.

* Better idea: Just remember them.

DON'T

* Use names.

* Use nicknames.

* Use addresses.

* Keep written notes about passwords, such as a "sticky" on your monitor, to jog your memory.
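The DO and DON'T advice above, together with the workplace rule about user names and Rogers's keyboard-side tip, can be written as a small checker. This is an added example, not part of the original article; the function names, the split of QWERTY letters between hands and the tiny word list are assumptions constructed for illustration.

```python
# Added example: checks a candidate password against the article's advice.
LEFT_HAND = set("qwertasdfgzxcvb")   # letters typed by the left hand on QWERTY
RIGHT_HAND = set("yuiophjklnm")      # letters typed by the right hand on QWERTY

# Constructed sample of guessable words; a real check would use a large wordlist.
COMMON_WORDS = {"password", "admin", "letmein", "welcome", "qwerty"}


def keyboard_sides(word):
    """Return which keyboard sides ('left', 'right') the letters come from."""
    sides = set()
    for ch in word.lower():
        if ch in LEFT_HAND:
            sides.add("left")
        elif ch in RIGHT_HAND:
            sides.add("right")
    return sides


def check_password(password, username="", personal_words=()):
    """Return the list of the article's rules that the password breaks."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letters")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbols")
    if lowered in COMMON_WORDS:
        problems.append("common or default word")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    # personal_words: names, nicknames and addresses supplied by the user
    if any(w and w.lower() in lowered for w in personal_words):
        problems.append("contains a name, nickname or address")
    # Only flag when letters are present and all of them sit on one side.
    if len(keyboard_sides(password)) == 1:
        problems.append("letters come from one side of the keyboard")
    return problems
```

An empty list means the password breaks none of the rules listed here; it does not mean the password is unguessable.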